[Firehol-support] Simple stateless routing.
costa at tsaousis.gr
Fri Dec 16 00:42:00 GMT 2016
as you can see these are ACCEPT statements, so they will not filter
Even if these rules are removed, the connection tracker will still be in
place. To disable the connection tracker for some traffic, you have to
insert rules to disable it, like this:
iptables -t raw -I PREROUTING -j NOTRACK
Though, PREROUTING is examined before the routing decision. So, you can
only match the input interface, not the output interface.
To match inface eth3 outface eth4 you will have to match -i eth3 and the IP
address space of eth4 with -d. Example:
iptables -t raw -I PREROUTING -i eth3 -d 10.1.1.0/24 -j NOTRACK
and the opposite for eth4 -> eth3.
Why do you need to disable the connection tracker? This is generally a bad
On Thu, Dec 15, 2016 at 6:29 PM, Teun <teun at as62167.net> wrote:
> Hi all,
> I'm happily using firehol to set up firewalls on servers, but now I'd like
> to start using it for a router (without masquerading).
> Unfortunately, I cannot find an option which would allow me to limit
> connection tracking to/from the host itself instead of forwarding.
> The configuration I have so far is:
> router4 r34 inface eth3 outface eth4
> policy accept
> Results in:
> pkts bytes target prot opt in out source
> 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED tcp flags:0x3F/0x14
> 0 0 ACCEPT all -- * * 0.0.0.0/0
> I do not wish to bother this router with connection tracking, but am
> unable to find any options in firehol which limit the tagging and these
> ctstate rules.
> Furthermore, it's unclear to me what the best practice is if I want to
> limit forwarding to a specific subnet.
> Can you please advise on this?
> Teun Kloosterman
> Firehol-support mailing list
> Firehol-support at lists.firehol.org
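The raw-table NOTRACK approach described in the reply above, worked through as an added example (this is not code from the thread or from FireHOL itself). It generates the PREROUTING rules for both directions of the eth3/eth4 pair, which is why the interface and the 10.1.1.0/24 subnet come from the thread, while 10.2.2.0/24 for the eth3 side and the iptables-save fragment are constructed. The generator prints the commands so they can be reviewed (and checked without root) before being piped to sh; the audit function covers the caveat a practitioner should expect: once packets are untracked they carry the UNTRACKED state and never match NEW, ESTABLISHED or RELATED, so any remaining ctstate rules for that interface pair stop matching silently.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from FireHOL.
# Builds raw-table NOTRACK rules for a stateless routed pair and audits the
# filter table for ctstate rules that would no longer match.

IPTABLES="${IPTABLES:-iptables}"

# Print one raw-table rule: traffic entering IN_IF and destined for DST_NET
# bypasses the connection tracker. The raw table is consulted in PREROUTING,
# before the routing decision, so only the input interface and the destination
# address space can be matched (not the output interface).
notrack_rule() {
    printf '%s -t raw -I PREROUTING -i %s -d %s -j NOTRACK\n' "$IPTABLES" "$1" "$2"
}

# Rules for both directions of a routed pair: IF_A/NET_A <-> IF_B/NET_B.
# Usage: stateless_pair eth3 10.2.2.0/24 eth4 10.1.1.0/24
stateless_pair() {
    notrack_rule "$1" "$4"   # packets arriving on IF_A heading for hosts behind IF_B
    notrack_rule "$3" "$2"   # and the opposite direction
}

# Apply the generated rules (needs root). Verify afterwards with:
#   iptables -t raw -L PREROUTING -v -n
apply_stateless_pair() {
    stateless_pair "$@" | sh
}

# Count FORWARD rules in an iptables-save dump ($1) that match --ctstate for
# the given in/out interface pair ($2, $3). Untracked packets never reach the
# NEW/ESTABLISHED/RELATED states, so these rules are dead once NOTRACK is in place.
ctstate_rules_for() {
    printf '%s\n' "$1" | awk -v i="$2" -v o="$3" '
        /^-A FORWARD/ && index($0, "-i " i " ") && index($0, "-o " o " ") && /--ctstate/ { n++ }
        END { print n + 0 }'
}

# Constructed iptables-save fragment resembling the ctstate ACCEPT rules shown
# in the quoted output (interfaces filled in for the eth3 -> eth4 direction).
SAMPLE_DUMP='*filter
-A FORWARD -i eth3 -o eth4 -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A FORWARD -i eth3 -o eth4 -p tcp -m conntrack --ctstate RELATED -m tcp --tcp-flags FIN,SYN,RST,ACK FIN,RST -j ACCEPT
-A FORWARD -i eth3 -o eth4 -j ACCEPT
COMMIT'

# Dry run: show the rules, then report how many ctstate rules would go dead.
stateless_pair eth3 10.2.2.0/24 eth4 10.1.1.0/24
echo "ctstate rules on eth3->eth4 that will stop matching: $(ctstate_rules_for "$SAMPLE_DUMP" eth3 eth4)"
```

Pipe the dry-run output into sh (or call apply_stateless_pair) only after confirming the audit count is what you expect; with FireHOL's "policy accept" the RELATED accepts are harmless to lose, but a "drop INVALID" style rule would also never see these packets, since they are UNTRACKED rather than INVALID.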